From 08703dfc389acbe889c0f5e318fb17316bf68913 Mon Sep 17 00:00:00 2001
From: Shyaka L Tresor
Date: Thu, 21 Mar 2024 16:16:15 +0200
Subject: [PATCH] update authorization to method
* added findById
* applied method based authorization
---
 .../keycloakresourceserver/ArticleController.java | 10 ++++++++++
 .../keycloakresourceserver/ArticleService.java | 12 ++++++++++--
 .../SecurityConfiguration.java | 3 +++
 3 files changed, 23 insertions(+), 2 deletions(-)
diff --git a/src/main/java/com/example/keycloakresourceserver/ArticleController.java b/src/main/java/com/example/keycloakresourceserver/ArticleController.java
index 9e4857c..ebb68d9 100644
--- a/src/main/java/com/example/keycloakresourceserver/ArticleController.java
+++ b/src/main/java/com/example/keycloakresourceserver/ArticleController.java
@@ -4,7 +4,10 @@
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
+import org.springframework.lang.NonNull;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.PathVariable;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestBody;
 import org.springframework.web.bind.annotation.RequestMapping;
@@ -34,7 +37,11 @@ public ResponseEntity
createArticle(@RequestBody ArticleDto article) {
 Article created = articleService.createArticle(article);
 return new ResponseEntity
(created, HttpStatus.CREATED);
 }
+
+ @GetMapping("/{id}")
+ @PreAuthorize("hasAnyRole('ROLE_ADMIN', 'ROLE_USER')")
+ public ResponseEntity
getById(@PathVariable @NonNull Long id) {
+ Article article = articleService.findById(id);
+ return ResponseEntity.ok(article);
+ }
 }
diff --git a/src/main/java/com/example/keycloakresourceserver/ArticleService.java b/src/main/java/com/example/keycloakresourceserver/ArticleService.java
index d71c95b..2d9f7e1 100644
--- a/src/main/java/com/example/keycloakresourceserver/ArticleService.java
+++ b/src/main/java/com/example/keycloakresourceserver/ArticleService.java
@@ -1,8 +1,10 @@
 package com.example.keycloakresourceserver;
 import java.util.List;
+import java.util.Optional;
 import java.util.stream.Collectors;
+import org.springframework.lang.NonNull;
 import org.springframework.stereotype.Service;
 import org.springframework.transaction.annotation.Transactional;
@@ -21,11 +23,17 @@ public List
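Review bot: The `@PreAuthorize("hasAnyRole('ROLE_ADMIN', 'ROLE_USER')")` on the new `getById` spells the roles with the `ROLE_` prefix, while the `requestMatchers` rules in SecurityConfiguration use `hasRole("ADMIN")` and `hasAnyRole("USER", "ADMIN")` without it; the SpEL `hasAnyRole` adds the `ROLE_` prefix itself when it is absent, so both forms resolve to the same authorities today, but the two spellings side by side invite a `ROLE_ROLE_` mistake when one is copied into the other. I would write it as `@PreAuthorize("hasAnyRole('ADMIN', 'USER')")` to match the existing rules. This assumes the JwtAuthConverter (not in this diff) maps Keycloak roles to `ROLE_`-prefixed authorities, which the existing `hasRole` rules already require. The `@NonNull` on the path variable is a static-analysis hint only and adds no runtime check; a non-numeric segment is presumably already rejected by argument conversion before the method runs.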
getAll() {
 public List getAllMinified() {
 return getAll().stream()
- .map(ArticleDto::minify)
- .collect(Collectors.toList());
+ .map(ArticleDto::minify)
+ .collect(Collectors.toList());
 }
 public Article createArticle(ArticleDto article) {
 return articleRepository.save(new Article(article.getTitle(), article.getContent()));
 }
+
+ public Article findById(@NonNull Long id) {
+ Optional
article = articleRepository.findById(id);
+
+ return article.orElseThrow(() -> new RuntimeException("Article not found with ID: " + id));
+ }
 }
diff --git a/src/main/java/com/example/keycloakresourceserver/SecurityConfiguration.java b/src/main/java/com/example/keycloakresourceserver/SecurityConfiguration.java
index e5ee9f9..7149ae7 100644
--- a/src/main/java/com/example/keycloakresourceserver/SecurityConfiguration.java
+++ b/src/main/java/com/example/keycloakresourceserver/SecurityConfiguration.java
@@ -2,6 +2,7 @@
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.http.SessionCreationPolicy;
@@ -12,6 +13,7 @@
 @RequiredArgsConstructor
 @Configuration
 @EnableWebSecurity
+@EnableMethodSecurity
 public class SecurityConfiguration {
 private final JwtAuthConverter jwtAuthConverter;
@@ -24,6 +26,7 @@ public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Excepti
 authorize.requestMatchers("/v1/articles/minified").permitAll();
 authorize.requestMatchers("/v1/articles/create").hasRole("ADMIN");
 authorize.requestMatchers("/v1/articles/all").hasAnyRole("USER", "ADMIN");
+ authorize.requestMatchers("/v1/articles/**").permitAll();
 authorize.anyRequest().authenticated();
 })
 .oauth2ResourceServer(oauth2 -> oauth2
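Review bot: `findById` signals a missing article with a bare `RuntimeException`, and the new `getById` controller method does not catch it, so a request for an unknown id (which any ROLE_USER can send) surfaces as an unhandled exception, i.e. an HTTP 500, instead of a 404. Either throw a status-bearing exception, `throw new ResponseStatusException(HttpStatus.NOT_FOUND, "Article not found with ID: " + id)` (needs the `org.springframework.web.server.ResponseStatusException` and `HttpStatus` imports), or return the `Optional<Article>` and let the controller map absence with `.map(ResponseEntity::ok).orElseGet(() -> ResponseEntity.notFound().build())`. The `@NonNull` on `id` is an annotation hint only; a null still reaches `articleRepository.findById`, so `Objects.requireNonNull(id, "id")` would make the contract hold at runtime. The `- .map`/`+ .map` and `.collect` lines in `getAllMinified` are an indentation-only change unrelated to this commit and could be dropped from it.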
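Review bot: The added `authorize.requestMatchers("/v1/articles/**").permitAll();` opens every path under `/v1/articles/` at the filter-chain level, not only the new `/{id}` route, and because it precedes `anyRequest().authenticated()` it shadows that fallback for the whole prefix; any present or future handler under `/v1/articles/` that lacks its own `@PreAuthorize` becomes reachable anonymously, so the web layer now fails open for this controller. Since `getById` already requires ROLE_ADMIN or ROLE_USER through method security, the line is not needed for the route to work: delete it, or if a prefix rule is wanted make it `authorize.requestMatchers("/v1/articles/**").authenticated();` so method security narrows from an authenticated baseline rather than an open one. With `permitAll` an anonymous caller of `/v1/articles/{id}` is still rejected by the `@PreAuthorize` check, but only after the request has passed the filter chain and reached the controller. `securityFilterChain` begins before this hunk and the builder chain continues past its last line.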